Protecting Critical Infrastructures From Corporate Espionage

Sep 15, 2011

We know that attacks on critical infrastructures from criminal threats, corporate or industrial espionage and/or politically motivated sabotage could threaten public safety, impact national security, or even create economic upheaval or environmental disaster. What we may not know is that a large percentage of critical infrastructures is actually privately owned and that private security forces are becoming the primary protectors of vital infrastructure. In the United States alone, approximately 85% of critical infrastructure – including financial systems, telecommunications, water systems, power grids, railways and nuclear energy plants – is privately owned. The private sector owns 100% of the airlines in the United States!

Today, critical infrastructures remain highly attractive targets for such threats as corporate or industrial espionage. Among those listed as the top 100 likely targets, private-sector assets comprise a significant and alarming percentage. Furthermore, research carried out in the UK indicates that public confidence in critical infrastructure security is at an all-time low.

The question we need to be asking ourselves is: with a significant percentage of critical infrastructures in the hands of private corporations, what measures are these companies taking to secure their installations from threats like corporate espionage?

For example, research has shown that due to the current economic climate, corporations are not investing sufficient resources in protecting infrastructures from cyber threats. The same research showed that 84% of over 100 employees surveyed in the critical infrastructure industry felt that companies were not doing enough to provide protection, with one in four predicting an attack in the next three months.

Cyber-spying represents a growing threat facing many companies. Melissa Hathaway, a former U.S. intelligence official and the leader of a digital security review set up by President Barack Obama, recently confirmed that “industrial cyber-espionage is one of the biggest problems that all nations are facing.”

In May 2005, for example, a London-based Israeli couple was arrested on suspicion of playing a crucial role in the largest case of industrial espionage in Israel’s history. The couple is said to have developed highly sophisticated ‘Trojan Horse’ software, nicknamed ‘Rona,’ capable of hiding in a computer’s system and allowing free access to insiders. As many as 80 companies, including some of Israel’s largest telephone and satellite television providers, are said to have benefited from the software. This case, aptly named by some as ‘Trojangate,’ brought worldwide attention to the increasing threat of corporate espionage and, more specifically, to the threat of hard-to-detect ‘targeted attacks.’

Since then, instances of corporate espionage have increased both in numbers and in sophistication. In January 2010 McAfee announced the results of a survey taken of 600 IT security executives from critical infrastructure enterprises throughout the world, including utility companies, banks and oil refineries, among others. According to the results of the survey, these installations are “constantly under cyber-attack and also extortion related to those attacks.”

In total, taking into account all types of corporate espionage, the cost to U.S. business alone due to illicit appropriations of technology and business ideas is estimated at between $100 and $250 billion per year.

Businesses that have been affected by incidents of corporate espionage include corporations responsible for driving critical infrastructure in the United States, including General Motors, Ford, General Electric, Intel and Boeing, among others.

In a recent case, dubbed the ‘Night Dragon attacks’, reported on in February 2011, Exxon Mobil, Royal Dutch Shell, BP, and other oil companies were targeted by hackers working through internet servers in China. This incident targeted legal information, information on deals, and financial data relating to oil and gas field bids and operations. We can only imagine the extent to which the undisclosed release of this type of information could damage not only the reputation but also the operations of these and other companies.

What makes these statistics so frightening is the increasing dependency of private business, government and national security on the interdependent network of critical physical and information infrastructures including financial services, energy, telecommunications and transportation sectors. The interdependency of these systems means that an attack on one infrastructure could have a crippling effect on a number of interdependent systems.

Security Measures

We are all aware of conventional measures and tools for protecting company assets. In an attempt to curb corporate espionage, companies throughout the world invest billions in security guards, closed-circuit security cameras, access control, body scanners, biometrics, computer passwords, locks and other security measures. While these measures are clearly important in protecting company assets, I would like to focus on two other methods which I believe are also essential in protecting critical assets.

The first key measure in securing critical infrastructure is the prioritization of assets. We know that it is impossible to protect every asset within a critical infrastructure. However, we must also remember that not all assets are equally critical. There is a need to identify the most critical assets by establishing a systematic hierarchy by which to prioritize assets and to catalog them accordingly based on tangible, quantifiable criteria. Because missing or unclear criteria for identifying critical assets may lead to inefficiencies – such as protecting too many or the wrong facilities, which often results in increased cost without return on investment – it is essential to define clear criteria for prioritizing critical assets.

The second and perhaps most important means by which to protect critical assets is by harnessing the capabilities of the workers themselves to identify potential irregularities within their own working environments. Elain Carey, the National Director of Investigations and Senior Vice President of Control Risks, suggests that “85 percent of the time, industrial espionage is carried out by insiders.” If this is in fact the case, then the prevailing measures for protecting critical infrastructures, such as passwords and access controls, may be entirely ineffective.

Because employees routinely come into direct contact with one another on a daily basis, they are in a unique position to detect indicators which may be out of the ordinary in the context of their working environment. Additionally, because employees are likely to be negatively affected by security breaches and incidents of corporate espionage within their companies, they have an incentive to report irregularities.

Harnessing employees and other relevant personnel, such as cleaning and maintenance staff, into the security apparatus serves as a considerable force multiplier. It puts more eyes on the ground, capable of using their on-hand knowledge and familiarity with their routine working environment to detect and report irregular or out-of-the-ordinary persons or incidents which could point toward a disgruntled employee carrying out corporate espionage within a critical infrastructure.

So how can the private sector better secure critical infrastructure? Clearly, we must balance effective risk management, physical and IT technologies and the capabilities of human resources to identify potential threats before it’s too late.

Doron Bergerbest-Eilon is the former Head of the Protection and Security Division of the Israeli Security Agency (ISA), equivalent to the rank of Major General. Among other roles and responsibilities, Mr. Bergerbest-Eilon was in charge of the protection of national classified information and the National Critical Infrastructure in the State of Israel. He was also actively involved in developing, improving and regulating a national strategy for information security and critical infrastructures against cyber threats in Israel.
© FrontLine Security 2011